All articles tagged with #cisa

security · 15 hours ago

CISA Warns of Active Cisco SD-WAN Exploitation, Orders Immediate Remediation Across Agencies

CISA and international partners issued an alert about ongoing exploitation of Cisco SD-WAN vulnerabilities (CVE-2026-20127 and CVE-2022-20775), adding the first to the KEV catalog, and mandated federal agencies under Emergency Directive 26-03 to inventory, patch, collect artifacts, and hunt for evidence of compromise, while Cisco and partner agencies publish hardening and threat-hunting guidance.

security · 7 days ago

Auth bypass in Honeywell CCTV risks unauthorized feeds and account takeover

CISA warns of a critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV models that allows an unauthenticated attacker to change the recovery email on a device account, enabling account takeover and unauthorized access to camera feeds; as of Feb 17 there were no known public exploits; mitigations include limiting network exposure, isolating devices behind firewalls, and using secure VPN remote access; Honeywell has not issued a public advisory and users should contact support for patch guidance.

security · 7 days ago

CISA Flags Four Actively Exploited Flaws in KEV Update and Urges Patch

CISA added four flaws to the Known Exploited Vulnerabilities catalog due to active exploitation: CVE-2026-2441 (Chrome use-after-free), CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware arbitrary file upload leading to command execution), CVE-2020-7796 (Zimbra Collaboration Server SSRF), and CVE-2008-0015 (Windows Video ActiveX buffer overflow). Google confirms an in-the-wild exploit for CVE-2026-2441; GreyNoise documents about 400 IPs exploiting CVE-2020-7796 across several countries; the CVE-2008-0015 exploit can download additional malware like Dogkild and alter system files/hosts. The TeamT5 exploitation vector remains unclear. Federal agencies are urged to patch by March 10, 2026.

security · 11 days ago

CISA orders urgent patch for actively exploited SCCM flaw

CISA directed federal agencies to patch CVE-2024-43468, a SQL injection flaw in Microsoft Configuration Manager (SCCM) that is now being actively exploited in attacks. The vulnerability was patched by Microsoft in October 2024, but exploitation was later shown in PoC code, and CISA warns that unpatched systems pose significant risk. Agencies must apply mitigations by March 5 under BOD 22-01, and CISA recommends that organizations outside the federal government follow vendor guidance to secure affected systems as soon as possible.

security · 18 days ago

CISA Orders Federal Agencies to Replace End-of-Life Edge Networking Gear

CISA's Binding Operational Directive 26-02 requires Federal Civilian Executive Branch agencies to identify and decommission end-of-life edge devices (routers, firewalls, switches) that no longer receive updates. Agencies must inventory EOS devices within 3 months, decommission EOS gear within 12 months, and replace identified devices within 18 months with vendor-supported equipment, with continuous discovery inventories to be in place within 24 months. The mandate aims to reduce exposure to exploits targeting outdated edge devices; it applies to FCEB agencies, with encouragement for others to follow.

politics · 20 days ago

GOP widens DHS critique beyond Minneapolis

Republicans are broadening their critique of Homeland Security Secretary Kristi Noem beyond the Minneapolis immigration fallout, highlighting perceived missteps at FEMA and the agency’s cyber unit (CISA), concerns about transparency with Congress, and internal leadership tensions, even as Trump expresses support for Noem and GOP lawmakers weigh how DHS should be run.

politics · 23 days ago

Ex-CISA chief blasts DHS leadership void amid agency struggles

Bridget Bean, the former acting director of the Cybersecurity and Infrastructure Security Agency, tells Politico that without Senate-confirmed leaders DHS agencies are not functioning effectively, describing the leadership gap as a ‘hot mess.’ She points to about 25 top DHS roles that are vacant or filled by acting officials, budget and personnel cuts at CISA, and a stalled nomination process for Sean Plankey, which undermines a unified, long-term strategy for homeland security and cybersecurity.

politics · 29 days ago

Interim CISA Chief’s ChatGPT Upload Triggers Internal Security Review

Madhu Gottumukkala, the interim head of the Cybersecurity and Infrastructure Security Agency, uploaded contracting documents marked 'for official use only' to a public version of ChatGPT last summer, triggering DHS security alerts; the files were not classified, but DHS opened an internal review to assess potential harm and the handling of official-use information, highlighting AI-use risks within the agency.

technology · 1 month ago

CISA Tightens Patch Deadline for Actively Exploited VMware vCenter RCE

CISA warns that the actively exploited VMware vCenter Server remote-code-execution flaw CVE-2024-37079 is being used in the wild and orders U.S. federal agencies to patch within three weeks, citing a DCERPC heap overflow that enables easy remote control with no user interaction. Broadcom notes there are no mitigations, advising immediate patches to the latest vCenter Server and Cloud Foundation releases.

security · 1 month ago

CISA Flags VMware vCenter RCE Flaw CVE-2024-37079 as Actively Exploited

CISA added CVE-2024-37079, a critical heap-overflow flaw in Broadcom VMware vCenter Server, to the KEV catalog after evidence of active exploitation; Broadcom patched CVE-2024-37079 (and CVE-2024-37080) in June 2024, with researchers Hao Zheng and Zibo Li linking related DCE/RPC flaws; a Black Hat Asia 2025 presentation notes two additional CVEs (CVE-2024-38812/38813) patched later, and federal agencies must upgrade to the latest version by Feb 13, 2026 to stay protected.

security · 1 month ago

CISA Expands KEV with Four Actively Exploited Flaws

CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation: CVE-2025-68645 (PHP remote file inclusion in Synacor Zimbra Collaboration Suite; CVSS 8.8; fixed in v10.1.13), CVE-2025-34026 (authentication bypass in Versa Concerto SD-WAN; CVSS 9.2; fixed in 12.2.1 GA), CVE-2025-31125 (improper access control in Vite; CVSS 5.3; fixed across multiple versions), and CVE-2025-54313 (embedded malicious code in eslint-config-prettier as part of a supply-chain attack with Scavenger Loader; CVSS 7.5; linked to July 2025 phishing campaigns). Exploitation of CVE-2025-68645 has been observed since January 14, 2026; details on the others’ exploitation are not provided. FCEB agencies must patch by February 12, 2026 under BOD 22-01.

cybersecurity · 1 month ago

CISA warns four enterprise flaws actively exploited across Versa, Zimbra, Vite, and Prettier

CISA has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-31125 and CVE-2025-34026 affecting Versa software (including the Concerto SD-WAN) via dev-exposure and Traefik misconfig, CVE-2025-68645 in Zimbra Webmail Classic UI (local file inclusion), and a supply-chain issue in eslint-config-prettier (CVE-2025-54313) tied to Prettier. Patches or mitigations exist for affected products; US federal agencies must apply updates or stop using the products by February 12, 2026. The status of ransomware-related exploitation remains unknown.

policy · 1 month ago

South Dakota SCIF Plan Stirs DHS, CISA Scrutiny

Senior DHS officials want to sponsor a TS/SCI secure facility (SCIF) at Dakota State University in Sioux Falls, SD, but current and former CISA/DHS staff say there’s no clear national-security need for an SD-based SCIF and warn about funding, accreditation costs, and potential political favoritism toward the Noem-aligned university; the plan, tied to a March executive order, would require university construction and federal involvement only in accreditation, raising questions about whether it’s worth the optics and expense given limited regional demand for highly classified space.

technology · 1 month ago

The Future of Cybersecurity: AI-Driven Threats and Defense Strategies for 2026

The article discusses key cybersecurity issues to watch in 2026, including the upcoming White House national cyber strategy focused on shaping adversary behavior, the evolving role of AI in cyber defense and threats, the reauthorization of CISA authorities, new cyber incident reporting rules, and leadership gaps within U.S. cybersecurity agencies.